Storing money safely is an age-old problem that society has dealt with for about as long as people have used money to buy goods and services from each other. Over time, banks have become the societal norm for safekeeping money. And while brick-and-mortar banks are generally safe, just about any Bonnie or Clyde can tell you that they get robbed from time to time. Nowadays, with the advent of digital wallets and online banking, bank robberies are happening digitally, too. Cryptocurrencies have become more prevalent than ever in the last decade, and a new breed of financial institution has to fill in the gaps that traditional banks (at least for now) have. Keeping your digital money secure can be harder than it’s ever been.
The evolution of the wallet
Because we currently do not have banks to store our cryptocurrencies, we have to use other services. These services can be confusing and not always easy to understand as the concept is fundamentally different from fiat banking (i.e. "physical" or traditional money). The attackers know this very well and they are ready to exploit this if they find out you own some of that sweet, lovely cryptocurrency.
Cryptocurrencies are always stored on singular blockchains, but accessing these funds can be done in numerous ways. One of the most popular ways to store crypto is to use a cryptocurrency wallet. These wallets are your own personal access to your funds on the blockchain; the major difference between a crypto wallet and a crypto exchange is that you possess, and are responsible for, your personal “keys” to your crypto wallet. With this comes great responsibility: your funds are only as safe as you keep them. If your wallet gets destroyed or compromised you can recover access to it on another device using a “recovery phrase”. This password, of sorts, is the lifeline between you and your crypto, but a recovery phrase can also be its demise, as attackers, phishers, and other malicious persons are hungry to hack you (or simply phish you) for access to it. If they manage to obtain your recovery phrase, they can access your wallet from anywhere in the world and transfer your money wherever they like - and there is no going back.
Showcasing an example: MetaMask
Recovery phrase phishing emails regarding crypto wallets are not common, because the majority of adults in the world do not use these services. However, if an attacker can identify someone who owns a substantial amount of crypto — and better yet, knows what kind of wallet they have — these wallets are a lucrative target. Let's go through an excellent example where this kind of spear phishing attack happened.
Here's a fake MetaMask wallet verification email
Below, we have an email that was sent to one of our clients. MetaMask is a popular crypto wallet that works in your browser. This email, even though it's a fake, looks (almost) indistinguishable from the real thing. It's clear that there's been a lot of work done to make this malicious email appear professional and the messaging within it is clear and reasonable. Even the email subject — “Reminder” — isn’t too alarming... but it does start you down the garden path of reading the email. “Know your customer” regulations are not something most people outside of the cryptocurrency world would know about, but they sound like a real thing (and they are — it looks like these phishers really did their homework). The logo and the style match MetaMask's branding. The sender even named themselves MetaMask, but the email address itself looks to be a stolen credential unrelated to MetaMask.
So what happens when we click the link? Here, take a look. It's eerily similar... almost an exact copy... of the appropriate MetaMask website it's emulating.
And here's a fake MetaMask website used for stealing recovery phrases
Just like the email we received, the website that we're taken to looks exactly like the real MetaMask website does. This can be done by cloning the original site and modifying it ever so slightly. Before the input fields you even have a transition phase to prepare yourself for what is coming. After you enter the recovery phrase, the website takes you to the real MetaMask FAQ page. At this point the attacker would have received the recovery phrase and likely transferred the funds somewhere else. The only two differences here are the URL - which was a randomly generated one - and that there isn’t a place on the real website where you can enter your recovery phrase. MetaMask states quite explicitly on their support page that they will never ask you for your recovery phrase. It's worth noting that the cloned website looks so much like the real thing that it's no wonder that it's easy to get tricked.
The greatest flaw of this attack, however, is the fact that creating a MetaMask wallet doesn’t require you to enter any email address (for reference, neither does an offline wallet called Daedalus). Crypto exchanges require an email address and more, but wallets don’t seem to need that. So, thinking rationally, the user who received this email should realise that MetaMask can’t contact them by email because they don’t have their email address. The attacker exploits this knowledge gap and uses urgency and a fear of repercussions to replace rational thinking with emotions.
Luckily, these types of phishing emails are rare and you probably won’t encounter them unless you're a frequent crypto trader. Crypto scammers are sometimes among the most creative scammers out there, so be sure to remember that phishing for your recovery phrase can happen through multiple mediums such as social media or chat servers like Discord. In fact, Discord-based scams are extremely common.
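The tell-tale signs described above (a sender display name claiming MetaMask on an unrelated address, a link to a host that is not MetaMask's, and a request for the recovery phrase) can be checked mechanically in a mail triage step. The sketch below is an added example, not code from MetaMask or from the original article; the function names are hypothetical, the sample message is constructed, and treating `metamask.io` as the brand's legitimate domain is an assumption the page itself does not state.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand -> domains it legitimately sends from and links to.
BRAND_DOMAINS = {"metamask": {"metamask.io"}}
PHRASE_RE = re.compile(r"\b(recovery|seed|secret)\s+(recovery\s+)?phrase\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email):
    """Return the phishing signals found in one raw, single-part message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart not handled
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        if brand in display.lower() and not _in_domains(sender_host, domains):
            findings.append("display-name-mismatch:" + sender_host)
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not _in_domains(host, domains):
                findings.append("off-brand-link:" + str(host))
    if PHRASE_RE.search(body):
        findings.append("asks-for-recovery-phrase")
    return findings

# Constructed sample modelled on the email described above (not the real one).
SAMPLE = """From: MetaMask <billing@example.net>
To: user@example.org
Subject: Reminder

Due to Know Your Customer regulations you must verify your wallet.
Verify here: https://kx7q2-verify.example.com/start
You will be asked to enter your recovery phrase.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The suffix match in `_in_domains` requires a leading dot, so a lookalike host such as `metamask.io.example.com` is still reported as off-brand.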
Staying off the hook
- Keep your keys close to your heart. One of the most important lessons in the crypto space is to never give out your recovery phrase to anyone or anywhere. Most likely the services you use will never ask you for it unless you need to recover your wallet. Remember to read what your wallet's or exchange's rules are on this.
- Should these people have my email address? Many wallets don’t require an email address to work. Do you remember what information you gave them when signing up? Do the research and know the terms of the service you use.
- Don’t advertise your crypto to anyone. It might be tempting to boast about your portfolio to others online or to mention how easy and fast the service you use is. This information can quickly be turned into an attack against you and it might not be just an email that they’ll throw at you.